What we know and don't know about the SEC hack

WASHINGTON (Reuters) - The top U.S. markets regulator has revealed that hackers accessed its corporate disclosure database and may have illegally profited by trading on the information stolen.

Q: When did it happen?

A: Some time in 2016. The Securities and Exchange Commission determined in August 2017 that the hack may have led to insider trading. It disclosed the possibility of illegal trades on Sept. 20, 2017.

Q: How did it happen?

A: Hackers were able to access information that the public could not see by exploiting a software vulnerability in the part of the SEC’s EDGAR system used for test filings.

Q: Who was behind the hack?

A: The SEC has not said who the perpetrators are. It has said it was liaising with the relevant authorities without naming them.

Q: What information was accessed?

A: The SEC has not said what information or which companies may have been exposed by the 2016 breach.

The SEC said the vulnerability was found in the test filing component of the system.

“The test filing component is where filings are uploaded on a test basis before going public,” said Timothy Harkness, U.S. partner at Freshfields.

Since virtually every filing is tested this way before going live, “essentially any of them could have potentially been compromised. It could be anything from an 8-K announcing terrible news for a company to a 10-Q announcing stronger-than-expected earnings,” said Harkness.

Many filings are released publicly shortly after the market closes, meaning that there would likely be test runs during trading hours that could give a hacker time to place an illicit trade, said Peter Jaffe, a senior associate at Freshfields.

Q: What is the SEC doing to address the breach?

A: The SEC said the vulnerability was patched promptly and it immediately began an investigation. It does not believe that the hack involved personally identifiable information, jeopardized the operations of the Commission, or put the financial system at risk.

Since May, it has worked on an initiative to bolster cyber security, including creating a working group “to coordinate information sharing, risk monitoring, and incident response efforts throughout the agency,” according to the SEC.

Q: What is EDGAR?

A: The Electronic Data Gathering, Analysis, and Retrieval system is more than 20 years old. Publicly traded companies file registration statements, annual and quarterly reports, ownership statements, disclosures of material events and other information that investors can access and read for free. Infiltrating the SEC system to review announcements before they are released publicly would offer hackers an opportunity to trade on that information.